
So I want to monitor multiple system calls (mkdir, fork, write, open, pipe, read, rmdir, etc.). I have gotten a kprobe solution to work where I can monitor a single system call. My first attempt at doing this was to create multiple system calls like so:

#include <linux/kprobes.h>

static struct kprobe probe[2];   /* file scope so the exit function can unregister them */
/* assumed here: MODULE_NAME is a string literal such as "sysmon: ", and
   sysmon_intercept_before/after/fault are defined above */

/* in the module init function: */
int i, ret;
probe[0].symbol_name = "sys_mkdir";
probe[1].symbol_name = "sys_write";
for (i = 0; i < 2; i++)
{
    probe[i].pre_handler   = sysmon_intercept_before; /* called prior to function */
    probe[i].post_handler  = sysmon_intercept_after;  /* called on function return */
    probe[i].fault_handler = sysmon_intercept_fault;
    ret = register_kprobe(&probe[i]);
    if (ret)
    {
        printk(KERN_ERR MODULE_NAME "register_kprobe failed for %s: %d\n",
               probe[i].symbol_name, ret);
        /* remove the probes already in place; otherwise their breakpoints
           outlive the module once it is unloaded */
        while (--i >= 0)
            unregister_kprobe(&probe[i]);
        return ret;
    }
    printk(KERN_INFO MODULE_NAME "loaded probe: %d\n", i);
}

This crashes the VM, so now I am looking for another way to monitor multiple system calls. My only idea so far is to fork the process. I know kprobe works by setting a register and then checking that register, so I assume the reason it crashed earlier was because multiple kprobe instances tried to write to a single register. So forking seems like it might work because every system call monitor will have its own memory space (registers, heap, stack, etc.). Any ideas would be greatly appreciated.

noztol
  • Also take a look at jprobes. – Peter L. Oct 18 '13 at 16:51
  • On x86, kprobes usually work by setting software breakpoints, that is, replacing the first byte of an instruction of interest with 0xcc (the `int3` instruction). Suppose the first of your kprobes registered successfully and the second one failed to register. If you unload the kernel module that sets them, the `int3` set by the first kprobe will remain, and when it triggers, it will lead to an unhandled exception and a system crash. Is that the crash you have seen? Is "breakpoint trap" mentioned there? I suggest fixing error handling first. – Eugene Oct 18 '13 at 20:09
  • Besides, what register are you talking about? What architecture is it? On x86, kprobes do not work this way (see my previous comment). I doubt forking some processes will help. Let's first find out why the system crashed and why registering the kprobes might have failed. If you could show the complete code of your kernel module, it would be easier to understand how to make it work. – Eugene Oct 18 '13 at 20:15
  • Eugene, how do you handle that exception from the first comment? – noztol Oct 27 '13 at 14:20
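As an added example (not code from the question or from the comments above), the same goal, probing several system calls at once, can be reached without writing a module at all: the kernel's kprobe_events interface in tracefs registers an entry probe (p:) and a return probe (r:) per symbol, the kernel owns the breakpoints, and a failed registration can be rolled back so nothing is left half-installed. Assumptions: tracefs is mounted at /sys/kernel/tracing (older kernels expose it under /sys/kernel/debug/tracing), the event group name sysmon is chosen here, and the sys_* symbol names are the ones used in the question (x86 kernels since 4.17 export the entry points as __x64_sys_*).

```shell
#!/bin/sh
# Added example: monitor several system calls through tracefs kprobe_events.
# Assumptions: tracefs path below, group name "sysmon", sys_* symbol names.

TRACEFS=${TRACEFS:-/sys/kernel/tracing}
GROUP=sysmon

# Definition lines in kprobe_events syntax: p[:GROUP/EVENT] SYMBOL [FETCHARGS]
enter_def()  { printf 'p:%s/%s_enter sys_%s\n' "$GROUP" "$1" "$1"; }
return_def() { printf 'r:%s/%s_return sys_%s $retval\n' "$GROUP" "$1" "$1"; }

# Print the full set of definitions for the given syscalls (no root needed).
kprobe_defs() {
    for sc in "$@"; do
        enter_def "$sc"
        return_def "$sc"
    done
}

# Append one definition (or a '-:' removal) to kprobe_events.
add_probe() { printf '%s\n' "$1" >> "$TRACEFS/kprobe_events"; }

# Remove the group's probes. Events must be disabled before their probes can
# be deleted; removal lines for probes that never registered are ignored.
sysmon_disable() {
    if [ -e "$TRACEFS/events/$GROUP/enable" ]; then
        echo 0 > "$TRACEFS/events/$GROUP/enable"
    fi
    for sc in "$@"; do
        add_probe "-:$GROUP/${sc}_enter" 2>/dev/null
        add_probe "-:$GROUP/${sc}_return" 2>/dev/null
    done
}

# Register every probe; on the first failure (for example an unknown symbol)
# roll back the ones already registered instead of leaving them in place.
sysmon_enable() {
    for sc in "$@"; do
        if ! add_probe "$(enter_def "$sc")" || ! add_probe "$(return_def "$sc")"; then
            echo "sysmon: cannot probe sys_$sc, rolling back" >&2
            sysmon_disable "$@"
            return 1
        fi
    done
    echo 1 > "$TRACEFS/events/$GROUP/enable"
    echo "sysmon: enabled; read $TRACEFS/trace_pipe to see the events"
}

# Usage: sysmon.sh enable|disable|show [syscall...]  (enable/disable need root)
cmd=${1:-show}
if [ $# -gt 0 ]; then shift; fi
if [ $# -eq 0 ]; then set -- mkdir write open read rmdir; fi  # constructed default list
case $cmd in
    enable)  sysmon_enable "$@" ;;
    disable) sysmon_disable "$@" ;;
    *)       kprobe_defs "$@" ;;
esac
```

Running the script with no arguments only prints the definitions it would install, so the probe list can be reviewed before `enable` is run as root; `disable` deletes the group again, which is the step a custom module must perform in its exit path as well.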

0 Answers